Lord didn't say how the Burger King and Jeep accounts were taken over, although he did go on to cite some frequently repeated password advice. Chief among the recommendations: use a password that's a minimum of 10 characters and includes upper- and lower-case letters, numbers, and symbols. This advice is good, but as Ars demonstrated in August, many passcodes that meet these criteria remain easy pickings for crackers.

A password such as "Sup3rThinkers" (minus the quotes), for instance, may give the illusion of near invincibility, but it eventually fell prey to modern techniques that substitute numbers and symbols for letters, string several dictionary words together, and try billions of combinations per second. And, of course, now that the password has been published online, it has no doubt been added to countless password-cracking lists, making that particular password weaker still.

No doubt, Lord's recommendation is useful, but it's by no means adequate. In addition to including 10 characters that include upper- and lower-case letters, numbers, and symbols, passwords must be nonobvious and hard to guess. That means no song or book titles or amalgamations of two words, even if the capitalization or characters have been tweaked. Ars recommends using randomly generated passcodes produced by a password manager such as LastPass or 1Password.
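To make concrete why "Sup3rThinkers" falls to the rule-based attack described above while a manager-generated passcode does not, here is an added example (not code from the article, and not any real cracking tool): a toy mangling-rule generator that glues dictionary words together and applies case and letter-for-digit substitutions, run against a constructed six-word list, beside the entropy arithmetic for a randomly generated password. The wordlist, the substitution table and the guess rate of one billion per second are assumptions for illustration.

```python
import itertools
import math
import secrets
import string

# Constructed toy wordlist (a real attack uses dictionaries of millions of entries).
WORDLIST = ("super", "think", "thinkers", "password", "jeep", "burger")

# Letter-for-digit/symbol substitutions of the kind the article describes (assumed table).
LEET = {"a": "a@4", "e": "e3", "i": "i1!", "o": "o0", "s": "s$5"}


def leet_variants(word):
    """Yield every combination of substitutions for `word`, the unchanged word included."""
    choices = [LEET.get(c, c) for c in word]
    for combo in itertools.product(*choices):
        yield "".join(combo)


def case_variants(word):
    """The capitalisations people actually type: lower, Capitalised, UPPER."""
    return (word.lower(), word.capitalize(), word.upper())


def candidates(wordlist, max_words=2):
    """Guesses built from 1..max_words dictionary words glued together, then case- and leet-mangled."""
    seen = set()
    for n in range(1, max_words + 1):
        for words in itertools.product(wordlist, repeat=n):
            for cased in itertools.product(*(case_variants(w) for w in words)):
                for guess in leet_variants("".join(cased)):
                    if guess not in seen:
                        seen.add(guess)
                        yield guess


def crack(target, wordlist=WORDLIST, max_words=2):
    """Run the generator against one target; return (guesses_tried, hit_or_None)."""
    tried = 0
    for guess in candidates(wordlist, max_words):
        tried += 1
        if guess == target:
            return tried, guess
    return tried, None


def random_password(length=16, alphabet=string.ascii_letters + string.digits + string.punctuation):
    """What a password manager generates: each character drawn independently from a CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet_size):
    """Bits of entropy for a uniformly random string over an alphabet of the given size."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(bits, guesses_per_second=1e9):
    """Worst-case time for an attacker to try the whole keyspace at the given rate (assumed rate)."""
    return 2 ** bits / guesses_per_second


if __name__ == "__main__":
    tried, hit = crack("Sup3rThinkers")
    print(f"'Sup3rThinkers' generated after {tried} guesses: {hit is not None}")
    pw = random_password()
    bits = entropy_bits(len(pw), len(string.ascii_letters + string.digits + string.punctuation))
    print(f"random {len(pw)}-char password: {bits:.0f} bits, "
          f"{seconds_to_exhaust(bits) / 3.15e7:.1e} years at 1e9 guesses/s")
```

The six-word list yields only about thirty thousand candidates, and "Sup3rThinkers" is among them; scale the list to a real dictionary and the same rules cover book titles, song titles and every two-word amalgamation with tweaked capitalisation. A 16-character password drawn uniformly from 94 symbols carries about 105 bits, which no rule set reaches, because there is no structure for a rule to exploit.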

Lord also reminded users to be on the lookout for suspicious links included in direct messages or e-mails leading to imposter websites that masquerade as Twitter. The goal of such sites is to trick users into entering their passwords. He also advised people to keep their passwords private and to ensure that operating systems, browsers, and plugins are kept up to date with the most recent security patches. This is particularly important for people who use browser plugins based on Oracle's Java software framework or Adobe's Reader and Flash programs.

That's crucial advice. The only thing I'd add is that users should also require Twitter to send an e-mail or text message before allowing an account password to be changed. This setting wasn't on by default in my account. To turn it on, readers should access their account settings and check the box next to the entry "Require personal information to reset my password."

131 Reader Comments

Every one of these articles makes it more clear that the only way to have a secure account is for the company maintaining the account to actually practice security. We're moving ever-closer to the point where a hash of the password "aXh8%29F43;!b" would be cracked in an hour; the only way to stop it is not to let the hash get out.

This is a rather odd way of going about things. They don't need to "call" for anything. They can set up their password system to have any requirements they like. Including rejecting passwords based on heuristic crackers. Or they can just assign passwords with the desired characteristics.

> This is a rather odd way of going about things. They don't need to "call" for anything. They can set up their password system to have any requirements they like. Including rejecting passwords based on heuristic crackers. Or they can just assign passwords with the desired characteristics.

They could -- but then that would mean annoying users because they cannot remember their passwords -- Twitter doesn't care *that* much about bad passwords.

Twitter needs to be doing what Google does and has been doing to fight account hijacking... They need to be looking at more than just a password or even 2-step. There are so many other variables that can be taken into consideration when someone logs into an account, and all should have a bearing on whether the account access is legit or suspicious.

> Every one of these articles makes it more clear that the only way to have a secure account is for the company maintaining the account to actually practice security. We're moving ever-closer to the point where a hash of the password "aXh8%29F43;!b" would be cracked in an hour; the only way to stop it is not to let the hash get out.

IMO that's not really feasible -- If my company has to protect users' passwords we have to be mistake free 100% of the time, whereas a hacker only has to be lucky once to get the passwords. Two factor authentication is the better answer.

Most of the passwords of the world are going to be crackable -- that's why the move to an open, two factor authentication scheme that you can use for anything (your email, Facebook, Google, etc) would be a welcome change.

> This is a rather odd way of going about things. They don't need to "call" for anything. They can set up their password system to have any requirements they like. Including rejecting passwords based on heuristic crackers. Or they can just assign passwords with the desired characteristics.

There is the sticky issue of usability to deal with, though.

I'm pretty careful about the way I build my passwords, especially those with administrative-level access. Most people, though, cannot be bothered. I recently was at a sprint, where this topic was being debated regarding password security for a major CMS update.

Sure, it's possible to require that users employ stronger passwords, but if the process becomes overly frustrating, they will just leave...

What happens when lastpass gets attacked? Doesn't that put all of your eggs into one basket?

True, but the difference is that these guys specialize in keeping your passwords secure. Also, the passwords are very well encrypted (and you can change the level of encryption yourself, if you wish). If LastPass was breached, you'd be safe as long as your master password was well chosen.

One of the things that baffles me most about password use in enterprise is that sometimes, a user is required to create a password of exactly a certain length. One system we use at work requires me to create a password of exactly 14 characters and also puts limits on the type of characters I use.

Why would anyone build a system that limits the type of passwords a user can create?

> What happens when lastpass gets attacked? Doesn't that put all of your eggs into one basket?

Why don't you look up the security measures Lastpass takes. It gets hashed a full 3 times before it ever even makes it to the server. All of the encryption and decryption is handled client side. If their servers were ever fully breached, the best the attackers would get (out of me specifically) are passwords that were hashed 3 times, each with 20,000 iterations of PBKDF2 and then encrypted using AES256.
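The comment above describes client-side key stretching with PBKDF2 at 20,000 iterations. The block below is an added example of that general design, written for this page and not LastPass's own code or scheme (the page gives no details beyond the comment): the client stretches the master password into a key that decrypts the local vault, the server only ever receives and stores a further hash of that key, and a timing helper shows what the iteration count costs an attacker per guess. The iteration count, salt handling and the single extra server-side round are assumptions for illustration.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 20_000  # the count the comment above cites; assumed here for illustration


def client_key(master_password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Runs on the client. PBKDF2-HMAC-SHA256 stretches the master password into a 32-byte key;
    this key (never the master password itself) is what would decrypt a locally held vault."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations, dklen=32)


def login_hash(key: bytes, salt: bytes) -> bytes:
    """Sent to the server and stored there: one more PBKDF2 round over the client key. A server
    breach yields neither the master password nor the vault key, and because the input is already
    a 256-bit key, the attacker's only route is to guess master passwords through client_key()."""
    return hashlib.pbkdf2_hmac("sha256", key, salt, 1, dklen=32)


def check_login(stored: bytes, presented_key: bytes, salt: bytes) -> bool:
    """Server-side comparison, constant-time."""
    return hmac.compare_digest(stored, login_hash(presented_key, salt))


def guess_cost(iterations: int, trials: int = 3) -> float:
    """Seconds one attacker guess costs at this iteration count, measured on this machine."""
    salt = b"\x00" * 16
    start = time.perf_counter()
    for _ in range(trials):
        hashlib.pbkdf2_hmac("sha256", b"guess", salt, iterations, dklen=32)
    return (time.perf_counter() - start) / trials


if __name__ == "__main__":
    salt = os.urandom(16)                       # per-user salt, stored alongside the login hash
    key = client_key("correct horse battery staple", salt)
    stored = login_hash(key, salt)
    print("login ok:", check_login(stored, key, salt))
    per_guess = guess_cost(ITERATIONS)
    print(f"{ITERATIONS} iterations: {per_guess * 1e3:.1f} ms per guess here, "
          f"about {guess_cost(ITERATIONS) / guess_cost(1):.0f}x a single-round hash")
```

The slowdown is linear in the iteration count and applies equally to the legitimate client and to the attacker, which is why the count is chosen as high as the slowest supported device tolerates; it buys time, not immunity, and a weak master password still falls to a dictionary run through `client_key()`.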

Twitter remains the only major service without two factor. Until the media starts hammering them on this - and they're not - nothing will change. A simple question for Ars: how many articles about Twitter passwords do you all plan to write before you start pointing out how far behind Twitter is in its authentication layers? No two factor, and the mobile phone hole is still there. If the media isn't holding them to account, nothing will change.

Actually, if you want good security, you must use something like PawHash (Chrome Extension; mentions a compatible Firefox extension in description). Why? It hashes the sitename & your master password to generate the site-specific password, so all you have to do is remember the master password. You don't have to back up any files, you don't have to use a password manager. Just that extension or the compatible Firefox extension.
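The stateless scheme the comment above describes, a site-specific password derived from a hash of the site name and a master password, is shown below as an added example written for this page; it is not PawHash's own algorithm, whose details the page does not give. Two things a practitioner checks before adopting such a scheme are built in: a `generation` counter, because without one a single site's password cannot be rotated after a breach without changing the master everywhere, and `recover_master`, which demonstrates that one leaked site password plus the public site name lets an attacker guess the master offline at the speed of a single HMAC. The alphabet and the HMAC construction are assumptions.

```python
import hashlib
import hmac
import string

# 64 symbols, so each HMAC byte maps onto the alphabet with no modulo bias (assumed alphabet).
ALPHABET = string.ascii_letters + string.digits + "!@"
assert len(ALPHABET) == 64


def site_password(master: str, site: str, generation: int = 0, length: int = 16) -> str:
    """Stateless derivation: HMAC-SHA256(master, site || generation) rendered over ALPHABET.
    `generation` is the one piece of state the scheme needs: bump it to rotate a single site's
    password after that site is breached, without changing the master password anywhere else."""
    if not 1 <= length <= 32:
        raise ValueError("length must be 1..32 (one SHA-256 output)")
    mac = hmac.new(master.encode(), f"{site}\x00{generation}".encode(), hashlib.sha256).digest()
    return "".join(ALPHABET[b % 64] for b in mac[:length])


def recover_master(leaked_site_password: str, site: str, master_candidates, generation: int = 0):
    """The attack the scheme invites: one site's password leaks, the site name is public, and the
    derivation is a single fast HMAC, so master passwords can be guessed offline. Returns the
    master that reproduces the leaked password, or None."""
    for candidate in master_candidates:
        if site_password(candidate, site, generation) == leaked_site_password:
            return candidate
    return None


if __name__ == "__main__":
    print("twitter.com :", site_password("Tr0ub4dor&3", "twitter.com"))
    print("facebook.com:", site_password("Tr0ub4dor&3", "facebook.com"))
    print("twitter.com, rotated:", site_password("Tr0ub4dor&3", "twitter.com", generation=1))
    # constructed guess list standing in for a dictionary run
    print("recovered master:", recover_master(site_password("hunter2", "twitter.com"),
                                              "twitter.com", ["password", "letmein", "hunter2"]))
```

Compared with a vault-based manager, nothing needs backing up, but the master password is now the only secret standing between every leaked site password and every other account, and it cannot be stretched as heavily as a vault key without making each login slow, so it must be long and random rather than merely memorable.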

Theoretically if you have a reasonably strong password of sufficient length and variety of characters you're still better off. If hackers get access to hashes of several hundred thousand passwords, and stronger passwords take considerably longer to crack (even when they have access to a dedicated array of GPUs), and the hackers' goal is to crack as many as possible in a reasonable amount of time (before users are made aware of the hack and start changing their passwords), it seems likely that the hackers will attempt to brute force through with an escape of maybe a few million guesses on a single hash and then move on in order to get the "low hanging fruit" quickly.

One trick I heard years ago that I love to use is to pick a few random words (usually based on things I can see), like "CableWalletCanTape", and then move your fingers over one key to the right and type them out. Easy to remember, and decently secure, as that password would become "Vsn;rEs;;ryVsnYs[r".

Is it so hard to find a unique sentence or paragraph to encode a password from = Iish2fausopteapf

I have logins for nearly 200 different websites, and I only started keeping track last year. Make a unique password (and often a unique username) for each website, and that starts to add up to a lot of sentences to remember.

Can someone explain why a password manager like 1password mentioned in the article is more secure than simply remembering my passwords? Can't the program be hacked just like anything else is?

If you can remember a unique, high-entropy password for every different site you visit, then no. Most people cannot, however.

The expectation, depressingly common among many IT types, that most people should devote their time to coming up with a unique strategy for generating and remembering high-entropy passwords is asinine in the extreme. It is a massive sink of time, training resources and is ultimately futile.

Your favorite pet strategy-- using titles of books on your bookshelf, or remembering names of teachers, or whatever-- is only useful as long as it's rare. As soon as, say, a large number of employees at one major corporation start using the same strategy, it becomes useful to devise new dictionary attacks based on it. There already exist proof-of-concept attacks using grammar to narrow the guessing field for long passphrases.

Perhaps it's a clue for corporations, especially large corporations, to take social media (and its security) seriously and task someone other than the intern with the responsibility. Alas, that would be much less entertaining.

> Can someone explain why a password manager like 1password mentioned in the article is more secure than simply remembering my passwords? Can't the program be hacked just like anything else is?

How precisely is anybody supposed to remember the vast number of passwords that most of us now have for every site we register at? Are you kidding? I have passwords to dozens of different sites - forums, blogs, banks, ebay, retail sites - all are unique and complex, but are impossible to remember. The human brain just doesn't work like that - in fact Ars posted an article about that a while back - the human brain deals poorly in general with remembering random sequences of characters.

You can't expect people to memorize their entire password list, and keep them all unique and complex at the same time. Thus the benefit of software like 1password or lastpass (Abine privacy suite for Firefox also manages passwords and can generate random passwords).

> What happens when lastpass gets attacked? Doesn't that put all of your eggs into one basket?

> Why don't you look up the security measures Lastpass takes. It gets hashed a full 3 times before it ever even makes it to the server. All of the encryption and decryption is handled client side. If their servers were ever fully breached, the best the attackers would get (out of me specifically) are passwords that were hashed 3 times, each with 20,000 iterations of PBKDF2 and then encrypted using AES256.
>
> Now, if I could steal a line from Taken if nobody minds; "Good luck."

So, if an attacker could corrupt the software to prevent the encryption from taking place client side, you'd be hosed. Still not convinced that Lastpass is 100% secure. Anything that increases the value of attacking lastpass, such as lots of important people storing credentials for dozens of sites on it, increases the chance that a group will spend thousands of hours attacking it.

> Theoretically if you have a reasonably strong password of sufficient length and variety of characters you're still better off. If hackers get access to hashes of several hundred thousand passwords, and stronger passwords take considerably longer to crack (even when they have access to a dedicated array of GPUs), and the hackers' goal is to crack as many as possible in a reasonable amount of time (before users are made aware of the hack and start changing their passwords), it seems likely that the hackers will attempt to brute force through with an escape of maybe a few million guesses on a single hash and then move on in order to get the "low hanging fruit" quickly.

Except that a smart password cracker is probably aware that higher-entropy passwords are more likely to be reused, so it becomes useful to let the GPU cluster keep cranking on those uncracked passwords.

Password crackers: just as smart as your brilliant password scheme since 1972.

> Can someone explain why a password manager like 1password mentioned in the article is more secure than simply remembering my passwords? Can't the program be hacked just like anything else is?

There's a couple of reasons. If you're relying solely on your memory for passwords, the strong tendency for most people is to use shorter, easier to remember passwords, while using a password manager makes it easier to use longer/more complex passphrases. Making passphrases longer makes them more difficult to break.

Also, when relying on memory, there's a strong tendency for people to use only one (or only a few) passwords for multiple accounts. If you do that, having one account compromised immediately makes all of your other accounts suspect.

Using a password manager addresses both of those issues. If you don't need to explicitly remember your password, you can make it arbitrarily long and complex, and there's also no benefit in reusing passwords for different accounts.